Privacy Policy | Aletheia

1. Introduction

Aletheia Reliability LLC ("Aletheia," "we," "us," or "our") operates an AI-native Root Cause Failure Analysis (RCFA) platform (the "Platform") for industrial manufacturers and related enterprises. This Privacy Policy describes how we collect, use, store, and protect information submitted to or generated through the Platform.

This policy applies to all users of the Platform, including reliability engineers, maintenance managers, plant operations personnel, and IT administrators who access the Platform on behalf of their organization (each, a "Client").

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you are accessing the Platform on behalf of a Client organization, you represent that you have authority to bind that organization to this policy.

2. Information We Collect

2.1 Account and Identity Information

When a Client organization is onboarded to the Platform, we collect:

Name and email address of the IT Administrator and invited users
Organization name and billing contact email
Authentication credentials (passwords are stored as salted cryptographic hashes and are never stored in plaintext)
Single sign-on (SSO) identity provider identifiers, where SSO is configured

2.2 Investigation and Operational Data

The primary function of the Platform is to guide users through structured RCFA investigations. In connection with this function, users enter and the Platform processes:

Equipment descriptions, equipment numbers, make, model, serial number, and age
Failure event descriptions, dates, and operating context
Work order numbers and maintenance history summaries
Pre-failure conditions, investigation notes, and additional operational context
Follow-up question responses generated during AI-assisted investigation
Root cause candidates, final root causes, and causal trees
Action items, owners, due dates, completion notes, and work completion records
Attachments uploaded in connection with an investigation (e.g., photographs, work orders, equipment manuals)
Downtime duration and production cost estimates

This data is collectively referred to as "Investigation Data." Investigation Data belongs to the Client organization and is processed by Aletheia solely to provide the Platform services.

2.3 Usage and Technical Data

We automatically collect limited technical data to operate and maintain the Platform:

Login timestamps, session metadata, and login counts
Browser type and general device information passed in HTTP headers
Application error events captured by Vercel infrastructure logs (transient; not retained long-term)
Audit log events recording user actions within the Platform (e.g., RCFA status transitions, action item updates)

We do not use cookies for advertising or cross-site tracking. Session authentication is managed via secure, HTTP-only JWT tokens.

3. How We Use Information

We use the information described above solely for the following purposes:

Providing, operating, and maintaining the Platform and its features
Authenticating users and enforcing access controls within Client tenants
Transmitting Investigation Data to our AI processing subprocessor (OpenAI) to generate follow-up questions, root cause candidates, and action item recommendations on your behalf
Sending transactional and operational email notifications (e.g., action item reminders, plan expiry warnings) via our email delivery subprocessor (Resend)
Enforcing plan limits, contract terms, and usage quotas
Detecting and investigating security incidents or abuse
Complying with applicable legal obligations

We do not use Investigation Data to train AI models, build marketing profiles, sell data to third parties, or for any purpose other than delivering the Platform services to the Client.

4. AI Processing and OpenAI

The Platform uses OpenAI's API to analyze Investigation Data and generate structured recommendations. The following data practices apply to this processing:

Investigation Data submitted for AI analysis is transmitted to OpenAI's API over encrypted connections (TLS 1.2+)
OpenAI does not use data submitted via the API to train or improve its models. API customers are opted out of data sharing by default under OpenAI's published data use policy.
OpenAI retains API request and response content for up to 30 days for abuse monitoring purposes. This retention serves safety enforcement functions and is not used for model training.
Aletheia does not store raw AI prompt content beyond what is necessary to display results within the Platform and maintain the investigation record.

Clients with heightened data sensitivity requirements (e.g., enterprise deployments requiring Zero Data Retention at the OpenAI layer) should contact us to discuss available options.

5. Data Storage and Infrastructure

The Platform is hosted on infrastructure located in the United States (US East region). Specifically:

Application hosting: Vercel (single shared deployment, US East)
Database: Neon PostgreSQL — each Client organization is provisioned a dedicated database branch, providing logical data isolation between tenants
File storage: Cloudflare R2 — attachments and uploaded files are stored with tenant-scoped path prefixes, ensuring no cross-tenant file access is possible through the Platform
Email delivery: Resend
Authentication: WorkOS (SAML/OIDC SSO and MFA/TOTP)

By using the Platform, Client organizations acknowledge that their data will be stored and processed in the United States.

6. Data Isolation and Security

Aletheia implements technical and organizational measures designed to protect Investigation Data against unauthorized access, disclosure, alteration, and destruction:

Tenant data isolation is enforced at the database layer. Each Client organization operates in a dedicated Neon database branch. Application-layer controls prevent cross-tenant data access.
All data in transit is encrypted using TLS 1.2 or higher.
Data at rest is encrypted using Neon's and Cloudflare's default encryption mechanisms.
User passwords are stored as bcrypt hashes and are never stored or transmitted in plaintext.
Access to the Platform requires authenticated sessions. Sessions are managed via secure, HTTP-only JWT tokens with defined expiry.
Multi-factor authentication (MFA/TOTP) is available to all users and may be enforced by Client IT administrators.
SSO enforcement (SAML/OIDC) is available on supported plans, allowing Client organizations to manage access through their own identity provider.
Role-based access controls limit user capabilities within each Client tenant based on assigned roles (admin, IT admin, user, viewer).

No security measure is perfect. In the event of a data breach affecting Client Investigation Data, Aletheia will notify affected Clients in accordance with the timeline and procedures set forth in the applicable Data Processing Agreement.

7. Data Retention

We retain Investigation Data for the duration of the Client's active subscription or trial period. Upon termination or expiration of a Client's agreement:

Investigation Data remains accessible in read-only mode for a grace period as defined in the applicable agreement
Clients may request an export of their Investigation Data during the active or grace period
Investigation Data will be deleted from Aletheia's systems within 30 days following the end of the grace period, unless Aletheia is required by law to retain it for a longer period
Audit log records associated with the tenant will be deleted on the same schedule

Aletheia does not retain Investigation Data for any purpose after the deletion window has elapsed. Note that data transmitted to OpenAI for AI processing is subject to OpenAI's 30-day abuse monitoring retention independently of this schedule.

8. Subprocessors

Aletheia uses the following third-party subprocessors to deliver the Platform. Each subprocessor is bound by data protection obligations consistent with this Privacy Policy:

Vercel, Inc. — Application hosting and infrastructure (United States)
Neon, Inc. — PostgreSQL database hosting (United States, US East region)
Cloudflare, Inc. — File and attachment storage via R2 (United States)
OpenAI, LLC — AI analysis and recommendation generation via API (United States)
Resend, Inc. — Transactional and operational email delivery (United States)
WorkOS, Inc. — Enterprise SSO (SAML/OIDC) and MFA/TOTP authentication (United States)

We will notify Clients of any material changes to our subprocessor list that may affect the processing of their Investigation Data, providing reasonable advance notice where practicable.

9. Data Sharing and Disclosure

Aletheia does not sell, rent, or share Client Investigation Data with third parties for commercial purposes. We may disclose information only in the following limited circumstances:

To subprocessors listed in Section 8, solely to the extent necessary to deliver the Platform services
In response to a valid legal process (e.g., subpoena, court order) where we are legally compelled to disclose
To protect the rights, property, or safety of Aletheia, our Clients, or the public, where permitted by law
In connection with a merger, acquisition, or sale of all or substantially all of Aletheia's assets, provided that the acquiring entity agrees to honor this Privacy Policy with respect to previously collected data

Where legally permitted, Aletheia will notify the affected Client prior to disclosing their Investigation Data in response to legal process.

10. Client Rights and Controls

Client organizations have the following rights and controls with respect to their Investigation Data:

Access: Client IT administrators may access all Investigation Data stored within their tenant through the Platform at any time during the active subscription period.
Correction: Users may edit and update Investigation Data within the Platform. Note that RCFA records use soft-deletion to preserve audit trails consistent with good manufacturing practice (GxP) requirements.
Export: Clients may export Investigation Data in supported formats at any time during the active or grace period.
Deletion: Clients may request deletion of their tenant and associated data by contacting Aletheia. Deletion will be completed within 30 days of request confirmation, subject to any legal retention requirements.
SSO and Access Management: Client IT administrators control user provisioning, role assignments, and SSO configuration within their tenant.

11. Individual Users

Individual users of the Platform (employees or contractors of a Client organization) should be aware that:

Their use of the Platform is subject to their employer's or Client organization's policies and agreements with Aletheia
Client IT administrators have administrative access to all data within their tenant, including data entered by individual users
Requests to access, correct, or delete personal data (such as name or email address) associated with a Platform account should be directed to the Client organization's IT administrator in the first instance

Aletheia is not the primary controller of individual user personal data entered into the Platform — the Client organization is. Aletheia processes such data on behalf of the Client.

12. Changes to This Privacy Policy

Aletheia may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

Update the Effective Date at the top of this policy
Notify Client IT administrators via email to the billing contact address on file
Post the updated policy at the URL where this policy is currently published

Continued use of the Platform following notice of a material change constitutes acceptance of the updated Privacy Policy. If a Client organization does not accept a material change, it should discontinue use of the Platform and notify Aletheia to initiate data deletion.

13. Contact Us

For questions about this Privacy Policy, to exercise data rights, or to report a privacy concern, please contact:

Aletheia Reliability LLC
1915 2nd Ave Unit 1913
Seattle, WA 98101
Email: privacy@aletheiareliability.com